{ "type": "Domain", "indicator": "data.link", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/data.link", "alexa": "http://www.alexa.com/siteinfo/data.link", "indicator": "data.link", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3188272998, "indicator": "data.link", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 8, "pulses": [ { "id": "68adee67c08cd025b05c2ab0", "name": "Collection of Collections - Updated - Malicious Certificates & University of Alberta DataBreach - 09.15.25.25", "description": "This Pulse is an attempt to aggregate all known certificates from all sources.\n\nEncrypted Communication: The malware uses Bitcoin and Ethereum addresses for communication, allowing it to receive commands and exfiltrate data securely.\nEvasion Techniques: The malware generates long and unusual domain parts using Domain Generation Algorithms to evade detection and establish communication with its C2 server.\nData Exfiltration: The malware can exfiltrate data to cloud storage services, enabling the threat actor to steal sensitive information from the compromised system.\nRemote Access: The malware leverages bidirectional communication and system binary proxy execution techniques to enable remote access and control over the infected system.\nIngress Tool Transfer: The malware downloads executable files from URLs, indicating its ability to download additional malicious payloads or updates to enhance its capabilities.", "modified": "2025-10-16T05:02:02.452000", "created": "2025-08-26T17:27:01.650000", "tags": [ "http", "https", "kgs0", "kls0", "Malcerts", "Certificates", "Alberta", "GovAB", "UAlberta", "Speader" ], "references": [ "https://www.virustotal.com/graph/embed/g0cfdc207f7d14c9a9173c2f9b804dd92b17706ef2a8c41dba3e0af36353cd70b?theme=dark", "https://viz.greynoise.io/ip/analysis/408b56e2-1932-4975-b348-5a8a7c5991d4", "https://report.netcraft.com/submission/ATkcJjvq2iKUQhELceQs7q4WVU76Q8QG - Submitted IPv4s to Netcraft 08.29.25", "https://www.filescan.io/uploads/68b261771c81c34281d8af6d/reports/44924eb0-000d-42ad-944e-36bf849a406d/overview", "https://www.virustotal.com/gui/file/19ec86ce10a716e8e63804239052c96cfa0a7fb66c2820bda2e66358f622525c/community", "Added some URLs from FSio Report to URLScan" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Netherlands", "Aruba", "Panama", "Poland", "Ukraine", "United Kingdom of Great Britain and Northern Ireland", "Anguilla", "United Arab Emirates", "Ireland", "Tanzania, United Republic of", "Philippines", "Japan", "Guatemala", "Mexico", "Bahamas", "Barbados", "Georgia", "Slovakia", "Sint Maarten (Dutch part)", "Kenya" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Government", "Technology", "Telecommunications", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1639, "FileHash-MD5": 1481, "FileHash-SHA1": 1421, "FileHash-SHA256": 5969, "domain": 707, "hostname": 2311, "email": 5, "CIDR": 13 }, "indicator_count": 13546, "is_author": false, "is_subscribing": null, "subscriber_count": 133, "modified_text": "228 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67d9aa3446a826d09e3fcbd1", "name": "SSL [.] com - (Unenriched)", "description": "Analysis of phishing domain/service - ssl dot com\n\nUpdated 04.09.25: was able to pull IOCs from graph (vT): https://www.virustotal.com/graph/embed/ga5becca9d0964040a5408d2de66d37952e5d92e7a3694941a8d11cc8bbf1fc94?theme=dark", "modified": "2025-05-08T21:00:41.641000", "created": "2025-03-18T17:15:32.007000", "tags": [ "malware", "virus", "trojan", "ransomware", "static", "analysis", "indicator of compromise", "ioc", "extraction", "emulation", "online", "submit", "sample", "download", "platform", "sandbox", "vxstream", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "javascript", "ansi", "pcap processing", "pcap", "prefetch8 ansi", "united", "date", "threat level", "show process", "hash seen", "programfiles", "win64", "comspec", "suspicious", "model", "hybrid", "close", "click", "hosts", "service", "general", "path", "encrypt", "strings", "contact", "SSL" ], "references": [ "https://www.filescan.io/uploads/67d9a1b50a7899f3579c2e15/reports/e94f370c-9b21-4fc7-be6d-a23f17a236a0/ioc", "https://hybrid-analysis.com/sample/225749540c7c585ae4567062cfb85980f0966cc3386540b5259471b8e2e5315e", "https://www.virustotal.com/gui/domain/ssl.com/details", "https://hybrid-analysis.com/sample/225749540c7c585ae4567062cfb85980f0966cc3386540b5259471b8e2e5315e/67d9a21c369b542db10921d1", "https://www.virustotal.com/graph/embed/ga5becca9d0964040a5408d2de66d37952e5d92e7a3694941a8d11cc8bbf1fc94?theme=dark", "https://www.virustotal.com/gui/collection/9ba080a708abedd7a118bdc24ce5cf5d842d87a86b89b9cc2191afe0f0d4231c", "https://www.virustotal.com/gui/collection/9ba080a708abedd7a118bdc24ce5cf5d842d87a86b89b9cc2191afe0f0d4231c/iocs", "https://www.virustotal.com/gui/collection/9ba080a708abedd7a118bdc24ce5cf5d842d87a86b89b9cc2191afe0f0d4231c/summary", "https://metadefender.com/results/url/aHR0cDovL3NzbC5jb20=", "https://pastebin.com/yYxyUWra - 03.18.25 = Paste to CERT Related Pulses/References", "https://www.virustotal.com/graph/embed/ga5becca9d0964040a5408d2de66d37952e5d92e7a3694941a8d11cc8bbf1fc94?theme=dark - 04.09.25" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Technology", "Education", "Government", "Telecommunications", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218, "FileHash-MD5": 80, "FileHash-SHA1": 80, "FileHash-SHA256": 462, "domain": 31, "hostname": 225, "SSLCertFingerprint": 15, "email": 10 }, "indicator_count": 1121, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "388 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6647908c09468f42bc1249f1", "name": "University of Alberta Azure/Entra Compromised Tenant Compromized Institution", "description": "Update: Academic/Non-Academic Staff Unions, 3rd party org, & some profs/students/alumni tried raising concerns to Admins/President/IST & CISO => Maintaining position they will not be looking into reported problems re: Cybersecurity under any circumstances = more time more problems? Attempts to advocate -> Harrass./Discrim./De-humanizing responses from admins (representing all folks - recorded). \nTenant ID: 718b8a9b-44d8-441a-a344-4294ea842172 = This pulse is 1 example (small) of problems.\n\nPrimary domain\nualbertaca.onmicrosoft.com\nCustom Domain Names\nualberta.ca\nVerified\nualbertaca.onmicrosoft.com", "modified": "2025-03-01T04:59:57.222000", "created": "2024-05-17T17:14:52.317000", "tags": [ "false", "true", "visible", "application", "microsoft teams", "microsoft azure", "office", "service", "dynamics", "hidden", "android", "explorer", "write", "connector", "test", "sharepoint", "live", "meister", "tools", "desktop", "spark", "front", "enterprise", "designer", "atlas", "premium", "assistant", "allow", "azureadmyorg", "game", "verify", "microsoft power", "channelsurfcli", "mtd1", "file transfer", "magnus", "microsoft crm", "youth" ], "references": [ "All - EnterpriseAppsList.csv", "AppRegistrationList.csv", "https://tria.ge/240517-vc7c1shc62/behavioral1", "https://tria.ge/240517-vdwb5shc71/behavioral1", "https://tria.ge/240517-vqxezaaa33/behavioral1", "https://tria.ge/240517-t9pc2ahb2t", "https://www.virustotal.com/graph/embed/g9453a2f58a3340f18120987c2b4d710dbb44ded88c434abf8894458a98c7bd4b?theme=dark", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/iocs", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/graph", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/summary", "https://www.filescan.io/uploads/66479b483313f70f0afe3dbb", "https://www.filescan.io/uploads/664799c9d5c40bffee6106d7", "Thor Scan: S-I9VvMTB6cZU", "https://www.filescan.io/uploads/664ba368d5c40bffee63b1ee/reports/31817751-6b5d-45df-8813-472aa6c756a3/overview", "https://www.filescan.io/uploads/664ba8a20663ff3c2ec6428a/reports/09d3d82a-7ec1-4804-93e5-5ae691fbb7f2/overview", "https://imp0rtp3.wordpress.com/2021/08/12/tetris/", "https://www.filescan.io/uploads/664bb0cd7c9fb1468fc610c5/reports/00c78e4d-2156-4906-a106-ebf7e2723251/overview", "https://www.filescan.io/uploads/664bb40fbc04dffa92240ca2/reports/398074f2-c7b6-40e9-9b5c-4225cc990473/overview", "https://www.filescan.io/uploads/664bb683bc04dffa92241015/reports/92b70fd6-97d7-4386-8465-f3fd79043843/overview", "https://tria.ge/240521-q4s79agb25/static1", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906322f5af13cdfb50be", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906222f5af13cdfb5093", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767/reports/dda2c8a1-96fd-4c00-9cbc-c64c4685a804/overview", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767", "https://viz.greynoise.io/analysis/33e9b33b-b932-4c43-9be1-3e2d6f9cb4b3", "https://viz.greynoise.io/analysis/e51d9a15-d802-4d51-9a70-17803dc2693a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b", "Above Malcore Strings: All - EnterpriseAppsList, AppRegistration, EnterpriseAppslist, exportGroup, exportUsers, HiddenApps - EnterpriseAppsList****", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00975ea31558d54fceea", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cff1a5ea31558d54fcbf6", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d0107b44401771de9ebf2", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00356dd8f43b723a915a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cffec5ea31558d54fcda2", "https://www.hudsonrock.com/search?domain=ualberta.ca", "https://www.criminalip.io/domain/report?scan_id=13798622", "https://viz.greynoise.io/analysis/9635144c-db8f-47ab-a83a-5785602244cf - 07.03.24", "https://urlscan.io/search/#ualberta.ca", "https://www.virustotal.com/gui/collection/0ca12fcdd125ec5a5055180ee828b98d47b8b2e920660be559c2b602266b6b1d/iocs", "https://sitereport.netcraft.com/?url=http://ualberta.ca", "https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-42889-text4shell-exploit-attempts/", "https://tenantresolution.pingcastle.com/Search - Tenant still active (07.19.24) - Good jobs ya'll", "https://www.virustotal.com/graph/embed/gf1d5aa209c7f4fd086e4cb17dcd0af52421ea4bae87d49fe9b4076b382612f0e?theme=dark", "https://viz.greynoise.io/query/AS36351%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS60068%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS8075%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS15169%20classification:%22malicious%22", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b - https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b = Hidden Apps - Enterprise Apps List" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Healthcare", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 7, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1703, "FileHash-SHA256": 90472, "URL": 99185, "domain": 82954, "hostname": 39041, "FileHash-SHA1": 1624, "email": 4658, "CVE": 12 }, "indicator_count": 319649, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "457 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "678dd7c763b29de06765fb52", "name": "hxxps://www[.]unitedconservative[.]ca/ - 01.19.25", "description": "Alberta UCP Compromise (i.e. potential evidence of active foreign interference).\n\nhttps://www.virustotal.com/graph/embed/g3fdc926b2208411e8b138e8bd7069b721b2586a3a1b3445aa4f70a932701ccbe?theme=dark", "modified": "2025-02-19T05:02:21.540000", "created": "2025-01-20T04:57:43.300000", "tags": [ "pentester", "javascript", "completed", "risk", "load", "web application", "firewall", "google search", "ssl certificate", "http", "create account", "critical", "malware", "virus", "trojan", "ransomware", "static", "analysis", "indicator of compromise", "ioc", "extraction", "emulation", "online", "submit", "sample", "download", "platform", "eci3", "eci4", "p1737345680749", "gaz1", "uaax86", "uab64", "sid1737345681", "sct1", "seg0", "nsi1", "url", "sandbox", "scanner", "reputation", "phishing", "hash", "miss", "eval", "first seen", "fastly", "gmt file", "linux x8664", "accept", "fingerprint", "loading", "path", "patch", "write", "vxstream", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please" ], "references": [ "https://app.pentester.com/scans/U2NhblR5cGU6NDcwNDM5Mw==", "https://www.filescan.io/uploads/678dca8c2d219e36112b2dd4/reports/1d6e1a12-c26b-4506-aeb4-a8f539b75bee/overview", "https://urlquery.net/report/0b60a80e-d3a5-4ca3-8644-190f32f28c65", "http://www.hybrid-analysis.com/sample/c047a23d603e9babce4db32175ecad13f5209027f24772908879d40bb392cefe", "https://www.virustotal.com/gui/url/6314e10278e55b5f02aa1f8e588ad7e20bf90534cd813c7eff24d261e8dc4250" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 734, "domain": 486, "email": 8, "hostname": 346, "FileHash-SHA256": 1814, "FileHash-MD5": 363, "FileHash-SHA1": 361, "SSLCertFingerprint": 24 }, "indicator_count": 4136, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "467 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d8ccb5b39c5a895bd0d7c2", "name": "More Certificates - A closer inspection of Accumulated Certs", "description": "An accumulation of Certificates from random places I find them - all from devices that have come into contact w. University of Alberta\nInteresting: https://www.trendmicro.com/en_us/research/21/i/analyzing-ssl-tls-certificates-used-by-malware.html", "modified": "2024-06-25T22:01:15.361000", "created": "2024-02-23T16:49:57.448000", "tags": [ "Certificates" ], "references": [ "https://www.virustotal.com/gui/collection/33a61b144ffdece76551464e76866ab59346f0fa3f1f97380b401c1ac3f0d305/summary", "https://www.virustotal.com/graph/embed/g157209fb9f6643a8bc819522fd9e644c70ae0f541aa347b4aa19b1636ee6d556?theme=dark", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/65d8c22c9a6367d4742ddd59", "https://www.virustotal.com/gui/collection/d6ec969e2e2b76f2bdb3b75595c50b9bfea53d730e2be98936896a3d110c3531", "https://www.virustotal.com/gui/collection/d6ec969e2e2b76f2bdb3b75595c50b9bfea53d730e2be98936896a3d110c3531/iocs", "https://www.proofpoint.com/us/blog/cloud-security/community-alert-ongoing-malicious-campaign-impacting-azure-cloud-environments", "https://www.virustotal.com/gui/collection/bd65940df2423788fcc8623495dfdafdfd4236d93533db0256db5ff4347b65f9/iocs", "https://www.virustotal.com/gui/collection/33a61b144ffdece76551464e76866ab59346f0fa3f1f97380b401c1ac3f0d305/iocs", "https://viz.greynoise.io/analysis/6d4e20f2-7e0c-4d31-83a6-f973343f4dd1", "https://viz.greynoise.io/analysis/5f89eddc-2668-47a2-8f6b-d4d81a31180c", "https://us-test-sandbox.recordedfuture.com/240617-g49essyaqa", "https://us-test-sandbox.recordedfuture.com/240617-h4dhsszdkg", "https://us-test-sandbox.recordedfuture.com/240617-h53t3stfmj", "https://us-test-sandbox.recordedfuture.com/240617-jak68azfqa", "https://us-test-sandbox.recordedfuture.com/240617-h73bbszepa", "https://tria.ge/240617-g49essyaqa/behavioral1", "https://www.virustotal.com/graph/embed/g5d8ecedaf40940ec8c84636da79426ec6a5f316d51874b499b47a02a8cef4a21?theme=dark" ], "public": 1, "adversary": "Unknown", "targeted_countries": [ "Canada", "United States of America", "Germany", "Netherlands", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Government", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1431, "CIDR": 1, "FileHash-MD5": 777, "FileHash-SHA1": 750, "URL": 1647, "domain": 572, "hostname": 526 }, "indicator_count": 5704, "is_author": false, "is_subscribing": null, "subscriber_count": 136, "modified_text": "705 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "661eb1a25bebe7ba625d3911", "name": "Catch of the Day - GreyNoise & URLscan - 04.15.24", "description": "Submitted to URLscan.io (04.15.24)\nand Greynoise.io (04.15.24)", "modified": "2024-05-16T17:03:57.859000", "created": "2024-04-16T17:13:06.584000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/4f7b46232272af163094a112706688ee89392e3643071042468b87b3f6cd49d6/graph", "https://www.virustotal.com/gui/collection/4f7b46232272af163094a112706688ee89392e3643071042468b87b3f6cd49d6/iocs", "https://viz.greynoise.io/analysis/9d0c02d0-24a8-4624-bbd7-cc7335f0a438" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "URL": 10, "domain": 17, "hostname": 86 }, "indicator_count": 114, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "745 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65336ac2b48ca82aeb55aeed", "name": "Woodynet.net,Id3.net and me.", "description": "The saga continues - But without invoking the jinx I'll focus on the data: Woodynet.net and Id3.net have been my (notso)friendly unoptoutable-dns-resolvers i'm assuming since all of this kicked off now nearing over 1.5+ years ago. I was finally able to dump my iPhone12 in which I had had since this all started and with that really gain some leg and breathing room. But, I'm still being pumped malicious software in the form of ISO's, linux packages, Windows Updates, and so on. And these are the nexus right here. I was able to net a solid bounty from Hybrid-Analysis including 15+ trojans, about 10 different backdoors, and a slew of other collateral that honestly surprised me as Criminalip and OTX weren't wanting to speak the same language in terms of IOC translations from them to the pulse. I'm trying in vain to find the beacon(s) or whatever they're using to keep persistence.", "modified": "2024-02-14T21:43:43.324000", "created": "2023-10-21T06:08:02.798000", "tags": [ "ip lookup", "port check", "vulnerability scanner", "attack surface", "cyber threat intelligence", "cti", "asm", "domain", "exploit", "phishing", "ip address", "united", "criminal", "historical", "information", "ai spera", "search engine", "ip search", "english english", "franais", "contact", "china", "ip location", "ip owner", "internet", "ip locator", "remember", "dp ip", "ip checker", "lookup", "strong", "summary", "ip information", "pricing login", "score", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "ansi", "data", "decrypted ssl", "windows nt", "threat level", "runtime data", "okserver", "date", "ffffff", "plugin", "path", "stop", "mask", "accept", "click", "prop", "error", "template", "class", "core", "span", "body", "suspicious", "back", "cluster", "null", "form", "zbot", "bounce", "this", "linear", "window", "ticker", "tick", "import", "orbit", "config", "main", "android", "cookie", "trident", "vidc", "hybrid", "close", "hosts", "general", "local", "mozilla", "strings", "podcast", "team", "june", "criminal ip", "engine", "resource", "dropped file", "pattern match", "script", "noscript", "connectivity", "bare metal", "iframe", "enterprise", "discord", "twitter", "facebook", "meta", "media", "story", "tools", "tokyo", "rocket", "fullscreen", "next", "small", "bare", "font", "helvetica", "arial", "tbody", "dnssec", "woodynet", "paris", "hong", "hybrid analysis", "api key", "vetting process", "please note", "please" ], "references": [ "https://www.criminalip.io/asset/report/69.166.14.38", "https://www.criminalip.io/asset/report/114.215.222.125", "https://dnschecker.org/ip-location.php?ip=31.204.146.148", "https://www.criminalip.io/domain/report?scan_id=8544746", "https://hybrid-analysis.com/sample/ab4672795b872e01bc7411fec294eab22d54e97b133769a3de306d9633fa24d6/5efec3f6b03bcb74f200310b", "https://www.criminalip.io/images/search/domain/category/icon_page_redirections.svg", "https://www.criminalip.io/domain/report?scan_id=8544687", "https://hybrid-analysis.com/sample/ab4672795b872e01bc7411fec294eab22d54e97b133769a3de306d9633fa24d6/653366aac5f632cbbf0f0000", "https://hybrid-analysis.com/sample/020fe56e2d49ead60b67a1e20b43ee0846c493c7edb3118b34c5c964fc131794/6533667318fa4c29320ec174", "https://hybrid-analysis.com/sample/2acab1228e8935d5dfdd1756b8a19698b6c8b786c90f87993ce9799a67a96e4e" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Unknown", "display_name": "Unknown", "target": null } ], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" } ], "industries": [ "individuals" ], "TLP": "white", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Merkd1904", "id": "196517", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 268, "hostname": 50, "domain": 61, "FileHash-MD5": 112, "FileHash-SHA1": 110, "FileHash-SHA256": 110, "email": 9 }, "indicator_count": 720, "is_author": false, "is_subscribing": null, "subscriber_count": 74, "modified_text": "837 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "626078c9aeb1f4837a1bfc7e", "name": "Malware hosting - allwest.com", "description": "\u00c2\u00a31.5m, \u00e2\u201a\u00ac2.4m \u00c3\u20ac\u00a6, is the source of a new version of the JavaScript code, which is being developed by the Apache web browser.", "modified": "2022-05-20T00:01:19.453000", "created": "2022-04-20T21:19:05.670000", "tags": [ "guji", "regexp", "cfunction", "event", "afunction", "efunction", "function", "xfunction", "jnull", "yefunction", "customevent", "typeof n", "typeof wpcf7", "nonce", "script", "please do", "not copy", "and paste", "this code", "cgrecaptchacfg", "ngrecaptcha", "recaptchaapi", "render", "filter", "typenumber", "totalvalue", "linear", "secs", "index", "nameregion", "typevalue", "rangeto", "customuserspeed", "code", "typeof define", "date", "click", "smoothscroll", "number", "property", "fancybox", "null", "false", "scroll", "stop", "speed", "body", "error", "this", "typeerror", "symbol", "generator", "typeof e", "copyright", "closure library", "reduceright", "string", "aw981889198", "uint8array", "quota", "aafunction", "void", "hj", "object", "hotjar", "email", "typeof symbol", "telefon", "array", "survey", "meta", "cookie", "keypress", "trident", "live", "fullscreen", "generic", "window", "widget", "ciudad", "adore", "experiment", "mutation", "qe", "fnumber", "xhfunction", "yhfunction", "awconversionid", "g0cbkgbkb3j", "xdfunction", "adfunction", "cdfunction", "ddfunction", "typeof hj", "surveyv2", "surveyisolated", "heatmapviewer", "notification", "sentry", "ua411335272", "gfvhxsm5zyl", "xmlhttprequest", "domparser", "typeof module", "html tags", "ox20trnf", "dom element", "typeof t", "class", "attr", "pseudo", "child", "udc66udc67", "ud83d", "ufe0f", "ud83e", "udc68udc69", "udfcbudfcc", "u2640u2642", "source", "image", "ud83dudc6cud83c", "bsnull", "gtmmwm9r93", "typeof", "facebook pixel", "pixel code", "iterator", "constantvalue", "globalvariable", "facebook", "service", "phonenumber", "boolean", "select", "strong", "input", "iframe", "android", "verify", "span", "enterprise", "form", "reload", "adwords", "linkedin", "hs pixel", "loader", "addcookiedomain", "hubspot", "vui", "anda", "tente", "outubro", "trackingclient", "srpanj", "rabu", "vasaris", "helvetica neue", "helvetica", "arial", "accept", "n nn", "policy", "done", "800px", "40px", "i18n", "blockedemail", "typeof i18n", "captcha", "please", "april", "august", "close", "february", "june", "klik", "download", "next", "blank", "este", "rserver", "mais", "r300", "typeof d", "path", "caca", "pfunction", "contenttype", "zfunction", "bfunction", "mvoid", "ofunction", "array int8array", "caregexp", "legacy" ], "references": [ "xfe-URL-allwest.com-stix2-2.1-export.json", "https://www.googleadservices.com/pagead/conversion_async.js", "https://www.google-analytics.com/analytics.js", "https://www.googletagmanager.com/gtag/js?id=G-FVHXSM5ZYL&l=dataLayer&cx=c", "https://www.googletagmanager.com/gtag/js?id=G-0CBKGBKB3J&l=dataLayer&cx=c", "https://js.hsleadflows.net/leadflows.js", "https://js.hs-banner.com/9251231.js", "https://js.hs-analytics.net/analytics/1650488100000/9251231.js", "https://js.hsadspixel.net/fb.js", "https://www.gstatic.com/recaptcha/releases/QENb_qRrX0-mQMyENQjD6Fuj/recaptcha__en.js", "https://connect.facebook.net/signals/config/661596171311072?v=2.9.57&r=stable", "https://connect.facebook.net/signals/plugins/identity.js?v=2.9.57", "https://connect.facebook.net/en_US/fbevents.js", "https://www.googleoptimize.com/optimize.js?id=GTM-MWM9R93", "https://www.allwest.com/wp-includes/js/wp-emoji-release.min.js?ver=5.9.3", "https://www.allwest.com/wp-includes/js/jquery/jquery.min.js?ver=3.6.0", "https://www.allwest.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2", "https://www.allwest.com/wp-content/plugins/svg-support/js/min/svgs-inline-min.js?ver=1.0.0", "https://www.googletagmanager.com/gtag/js?id=UA-41133527-3", "https://static.hotjar.com/c/hotjar-2836981.js?sv=5", "https://www.googletagmanager.com/gtag/js?id=UA-41133527-2", "https://www.googletagmanager.com/gtag/js?id=AW-CONVERSION_ID", "https://script.hotjar.com/modules.0076bf93c385ddf0ff58.js", "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/981889198/?random=1650488340057&cv=9&fst=1650488340057&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=844&u_w=390&u_ah=844&u_aw=390&u_cd=32&u_his=1&u_tz=-240&u_java=false&u_nplug=0&u_nmime=0>m=2oa4i1&sendb=1&ig=1&data=event%3Dgtag.config&frm=0&url=https%3A%2F%2Fwww.allwest.com%2F&tiba=All%20West%20Communications%20-%20telecommunication%20company&hn=www.googleadservices.com&async=1&rfmt=3&fmt=4", "https://www.googletagmanager.com/gtag/js?id=AW-981889198", "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/981889198/?random=1650488340630&cv=9&fst=1650488340630&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=844&u_w=390&u_ah=844&u_aw=390&u_cd=32&u_his=1&u_tz=-240&u_java=false&u_nplug=0&u_nmime=0>m=2oa4i1&sendb=1&ig=1&data=event%3Dgtag.config&frm=0&url=https%3A%2F%2Fwww.allwest.com%2F&tiba=All%20West%20Communications%20-%20telecommunication%20company&hn=www.googleadservices.com&async=1&rfmt=3&fmt=4", "https://www.allwest.com/wp-includes/js/dist/vendor/regenerator-runtime.min.js?ver=0.13.9", "https://www.allwest.com/wp-content/uploads/hummingbird-assets/c4be4d65e707f6328e3a72e79cfdfcb7.js", "https://www.allwest.com/wp-content/themes/allwestcommunications/js/jquery.main.js?ver=5.9.3", "https://www.allwest.com/wp-content/themes/allwestcommunications/js/custom.js?ver=5.9.3", "https://www.google.com/recaptcha/api.js?render=6Ld8S6EUAAAAAExG_6DO_Jj4DLY35ybebbA8R_eA&ver=3.0", "https://www.allwest.com/wp-content/plugins/contact-form-7/modules/recaptcha/index.js?ver=5.5.6", "https://www.allwest.com/wp-content/plugins/wp-smushit/app/assets/js/smush-lazy-load.min.js?ver=3.9.5", "https://js.hs-scripts.com/9251231.js" ], "public": 1, "adversary": "", "targeted_countries": [ "Tunisia" ], "malware_families": [ { "id": "hj", "display_name": "hj", "target": null }, { "id": "Qe", "display_name": "Qe", "target": null }, { "id": "Vui", "display_name": "Vui", "target": null }, { "id": "Outubro", "display_name": "Outubro", "target": null }, { "id": "Tente", "display_name": "Tente", "target": null }, { "id": "Anda", "display_name": "Anda", "target": null }, { "id": "Vasaris", "display_name": "Vasaris", "target": null }, { "id": "Rabu", "display_name": "Rabu", "target": null }, { "id": "Srpanj", "display_name": "Srpanj", "target": null }, { "id": "TrackingClient", "display_name": "TrackingClient", "target": null }, { "id": "ReduceRight", "display_name": "ReduceRight", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "adjadex1@gmail.com", "id": "187163", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 821, "URL": 1568, "domain": 251, "FileHash-SHA256": 70, "FileHash-MD5": 4, "FileHash-SHA1": 1 }, "indicator_count": 2715, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "1473 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.virustotal.com/graph/embed/gf1d5aa209c7f4fd086e4cb17dcd0af52421ea4bae87d49fe9b4076b382612f0e?theme=dark", "https://www.filescan.io/uploads/664bb683bc04dffa92241015/reports/92b70fd6-97d7-4386-8465-f3fd79043843/overview", "https://us-test-sandbox.recordedfuture.com/240617-h73bbszepa", "https://js.hs-scripts.com/9251231.js", "https://www.allwest.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00975ea31558d54fceea", "https://www.virustotal.com/gui/collection/4f7b46232272af163094a112706688ee89392e3643071042468b87b3f6cd49d6/iocs", "https://js.hs-analytics.net/analytics/1650488100000/9251231.js", "https://www.virustotal.com/gui/file/19ec86ce10a716e8e63804239052c96cfa0a7fb66c2820bda2e66358f622525c/community", "https://www.virustotal.com/gui/collection/33a61b144ffdece76551464e76866ab59346f0fa3f1f97380b401c1ac3f0d305/summary", "https://www.criminalip.io/images/search/domain/category/icon_page_redirections.svg", "Thor Scan: S-I9VvMTB6cZU", "https://www.virustotal.com/gui/collection/33a61b144ffdece76551464e76866ab59346f0fa3f1f97380b401c1ac3f0d305/iocs", "https://www.filescan.io/uploads/664bb0cd7c9fb1468fc610c5/reports/00c78e4d-2156-4906-a106-ebf7e2723251/overview", "https://connect.facebook.net/signals/config/661596171311072?v=2.9.57&r=stable", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cff1a5ea31558d54fcbf6", "https://www.google.com/recaptcha/api.js?render=6Ld8S6EUAAAAAExG_6DO_Jj4DLY35ybebbA8R_eA&ver=3.0", "https://www.allwest.com/wp-content/plugins/contact-form-7/modules/recaptcha/index.js?ver=5.5.6", "https://www.allwest.com/wp-content/themes/allwestcommunications/js/jquery.main.js?ver=5.9.3", "https://sitereport.netcraft.com/?url=http://ualberta.ca", "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/981889198/?random=1650488340630&cv=9&fst=1650488340630&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=844&u_w=390&u_ah=844&u_aw=390&u_cd=32&u_his=1&u_tz=-240&u_java=false&u_nplug=0&u_nmime=0>m=2oa4i1&sendb=1&ig=1&data=event%3Dgtag.config&frm=0&url=https%3A%2F%2Fwww.allwest.com%2F&tiba=All%20West%20Communications%20-%20telecommunication%20company&hn=www.googleadservices.com&async=1&rfmt=3&fmt=4", "https://app.pentester.com/scans/U2NhblR5cGU6NDcwNDM5Mw==", "https://www.allwest.com/wp-content/uploads/hummingbird-assets/c4be4d65e707f6328e3a72e79cfdfcb7.js", "https://www.filescan.io/uploads/664ba368d5c40bffee63b1ee/reports/31817751-6b5d-45df-8813-472aa6c756a3/overview", "https://www.filescan.io/uploads/664bb40fbc04dffa92240ca2/reports/398074f2-c7b6-40e9-9b5c-4225cc990473/overview", "https://tria.ge/240521-q4s79agb25/static1", "https://www.virustotal.com/gui/domain/ssl.com/details", "https://www.allwest.com/wp-includes/js/wp-emoji-release.min.js?ver=5.9.3", "Added some URLs from FSio Report to URLScan", "https://www.gstatic.com/recaptcha/releases/QENb_qRrX0-mQMyENQjD6Fuj/recaptcha__en.js", "https://hybrid-analysis.com/sample/225749540c7c585ae4567062cfb85980f0966cc3386540b5259471b8e2e5315e/67d9a21c369b542db10921d1", "https://us-test-sandbox.recordedfuture.com/240617-h53t3stfmj", "https://viz.greynoise.io/analysis/33e9b33b-b932-4c43-9be1-3e2d6f9cb4b3", "https://www.virustotal.com/graph/embed/g0cfdc207f7d14c9a9173c2f9b804dd92b17706ef2a8c41dba3e0af36353cd70b?theme=dark", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/65d8c22c9a6367d4742ddd59", "https://www.virustotal.com/gui/collection/4f7b46232272af163094a112706688ee89392e3643071042468b87b3f6cd49d6/graph", "https://www.allwest.com/wp-content/plugins/wp-smushit/app/assets/js/smush-lazy-load.min.js?ver=3.9.5", "https://tenantresolution.pingcastle.com/Search - Tenant still active (07.19.24) - Good jobs ya'll", "https://www.allwest.com/wp-includes/js/dist/vendor/regenerator-runtime.min.js?ver=0.13.9", "https://www.googletagmanager.com/gtag/js?id=AW-981889198", "https://viz.greynoise.io/analysis/6d4e20f2-7e0c-4d31-83a6-f973343f4dd1", "https://tria.ge/240517-vc7c1shc62/behavioral1", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/summary", "https://www.filescan.io/uploads/664ba8a20663ff3c2ec6428a/reports/09d3d82a-7ec1-4804-93e5-5ae691fbb7f2/overview", "https://www.filescan.io/uploads/67d9a1b50a7899f3579c2e15/reports/e94f370c-9b21-4fc7-be6d-a23f17a236a0/ioc", "https://www.proofpoint.com/us/blog/cloud-security/community-alert-ongoing-malicious-campaign-impacting-azure-cloud-environments", "https://js.hsleadflows.net/leadflows.js", "https://www.googletagmanager.com/gtag/js?id=G-0CBKGBKB3J&l=dataLayer&cx=c", "https://viz.greynoise.io/query/AS8075%20classification:%22malicious%22", "https://www.allwest.com/wp-content/plugins/svg-support/js/min/svgs-inline-min.js?ver=1.0.0", "https://www.virustotal.com/gui/collection/9ba080a708abedd7a118bdc24ce5cf5d842d87a86b89b9cc2191afe0f0d4231c/summary", "https://www.virustotal.com/gui/collection/bd65940df2423788fcc8623495dfdafdfd4236d93533db0256db5ff4347b65f9/iocs", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d0107b44401771de9ebf2", "https://www.criminalip.io/domain/report?scan_id=8544687", "https://hybrid-analysis.com/sample/225749540c7c585ae4567062cfb85980f0966cc3386540b5259471b8e2e5315e", "https://connect.facebook.net/en_US/fbevents.js", "https://urlquery.net/report/0b60a80e-d3a5-4ca3-8644-190f32f28c65", "https://www.googletagmanager.com/gtag/js?id=UA-41133527-2", "https://script.hotjar.com/modules.0076bf93c385ddf0ff58.js", "https://www.virustotal.com/gui/collection/d6ec969e2e2b76f2bdb3b75595c50b9bfea53d730e2be98936896a3d110c3531/iocs", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/graph", "xfe-URL-allwest.com-stix2-2.1-export.json", "https://www.filescan.io/uploads/66479b483313f70f0afe3dbb", "https://www.hudsonrock.com/search?domain=ualberta.ca", "https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-42889-text4shell-exploit-attempts/", "https://www.virustotal.com/graph/embed/g5d8ecedaf40940ec8c84636da79426ec6a5f316d51874b499b47a02a8cef4a21?theme=dark", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767", "https://www.filescan.io/uploads/664799c9d5c40bffee6106d7", "https://tria.ge/240517-t9pc2ahb2t", "All - EnterpriseAppsList.csv", "https://www.virustotal.com/graph/embed/ga5becca9d0964040a5408d2de66d37952e5d92e7a3694941a8d11cc8bbf1fc94?theme=dark - 04.09.25", "https://tria.ge/240517-vdwb5shc71/behavioral1", "https://www.criminalip.io/asset/report/114.215.222.125", "https://www.allwest.com/wp-includes/js/jquery/jquery.min.js?ver=3.6.0", "https://www.virustotal.com/graph/embed/ga5becca9d0964040a5408d2de66d37952e5d92e7a3694941a8d11cc8bbf1fc94?theme=dark", "https://tria.ge/240617-g49essyaqa/behavioral1", "https://dnschecker.org/ip-location.php?ip=31.204.146.148", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/iocs", "https://www.virustotal.com/graph/embed/g157209fb9f6643a8bc819522fd9e644c70ae0f541aa347b4aa19b1636ee6d556?theme=dark", "https://www.google-analytics.com/analytics.js", "https://www.virustotal.com/gui/collection/0ca12fcdd125ec5a5055180ee828b98d47b8b2e920660be559c2b602266b6b1d/iocs", "https://metadefender.com/results/url/aHR0cDovL3NzbC5jb20=", "https://urlscan.io/search/#ualberta.ca", "https://www.virustotal.com/gui/collection/d6ec969e2e2b76f2bdb3b75595c50b9bfea53d730e2be98936896a3d110c3531", "https://www.virustotal.com/gui/collection/9ba080a708abedd7a118bdc24ce5cf5d842d87a86b89b9cc2191afe0f0d4231c/iocs", "https://hybrid-analysis.com/sample/ab4672795b872e01bc7411fec294eab22d54e97b133769a3de306d9633fa24d6/653366aac5f632cbbf0f0000", "https://www.allwest.com/wp-content/themes/allwestcommunications/js/custom.js?ver=5.9.3", "https://viz.greynoise.io/analysis/5f89eddc-2668-47a2-8f6b-d4d81a31180c", "https://www.googletagmanager.com/gtag/js?id=G-FVHXSM5ZYL&l=dataLayer&cx=c", "https://connect.facebook.net/signals/plugins/identity.js?v=2.9.57", "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/981889198/?random=1650488340057&cv=9&fst=1650488340057&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=844&u_w=390&u_ah=844&u_aw=390&u_cd=32&u_his=1&u_tz=-240&u_java=false&u_nplug=0&u_nmime=0>m=2oa4i1&sendb=1&ig=1&data=event%3Dgtag.config&frm=0&url=https%3A%2F%2Fwww.allwest.com%2F&tiba=All%20West%20Communications%20-%20telecommunication%20company&hn=www.googleadservices.com&async=1&rfmt=3&fmt=4", "https://us-test-sandbox.recordedfuture.com/240617-jak68azfqa", "https://us-test-sandbox.recordedfuture.com/240617-h4dhsszdkg", "AppRegistrationList.csv", "Above Malcore Strings: All - EnterpriseAppsList, AppRegistration, EnterpriseAppslist, exportGroup, exportUsers, HiddenApps - EnterpriseAppsList****", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767/reports/dda2c8a1-96fd-4c00-9cbc-c64c4685a804/overview", "https://www.criminalip.io/domain/report?scan_id=13798622", "https://www.filescan.io/uploads/68b261771c81c34281d8af6d/reports/44924eb0-000d-42ad-944e-36bf849a406d/overview", "https://www.virustotal.com/gui/url/6314e10278e55b5f02aa1f8e588ad7e20bf90534cd813c7eff24d261e8dc4250", "https://www.virustotal.com/gui/collection/9ba080a708abedd7a118bdc24ce5cf5d842d87a86b89b9cc2191afe0f0d4231c", "https://hybrid-analysis.com/sample/ab4672795b872e01bc7411fec294eab22d54e97b133769a3de306d9633fa24d6/5efec3f6b03bcb74f200310b", "https://www.googletagmanager.com/gtag/js?id=UA-41133527-3", "https://www.filescan.io/uploads/678dca8c2d219e36112b2dd4/reports/1d6e1a12-c26b-4506-aeb4-a8f539b75bee/overview", "https://viz.greynoise.io/query/AS36351%20classification:%22malicious%22", "https://www.criminalip.io/asset/report/69.166.14.38", "https://www.criminalip.io/domain/report?scan_id=8544746", "https://viz.greynoise.io/ip/analysis/408b56e2-1932-4975-b348-5a8a7c5991d4", "https://js.hs-banner.com/9251231.js", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cffec5ea31558d54fcda2", "https://viz.greynoise.io/query/AS15169%20classification:%22malicious%22", "https://imp0rtp3.wordpress.com/2021/08/12/tetris/", "https://viz.greynoise.io/query/AS60068%20classification:%22malicious%22", "https://hybrid-analysis.com/sample/020fe56e2d49ead60b67a1e20b43ee0846c493c7edb3118b34c5c964fc131794/6533667318fa4c29320ec174", "https://viz.greynoise.io/analysis/9d0c02d0-24a8-4624-bbd7-cc7335f0a438", "https://www.googleoptimize.com/optimize.js?id=GTM-MWM9R93", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00356dd8f43b723a915a", "https://viz.greynoise.io/analysis/9635144c-db8f-47ab-a83a-5785602244cf - 07.03.24", "https://www.virustotal.com/graph/embed/g9453a2f58a3340f18120987c2b4d710dbb44ded88c434abf8894458a98c7bd4b?theme=dark", "http://www.hybrid-analysis.com/sample/c047a23d603e9babce4db32175ecad13f5209027f24772908879d40bb392cefe", "https://tria.ge/240517-vqxezaaa33/behavioral1", "https://www.googleadservices.com/pagead/conversion_async.js", "https://pastebin.com/yYxyUWra - 03.18.25 = Paste to CERT Related Pulses/References", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906222f5af13cdfb5093", "https://viz.greynoise.io/analysis/e51d9a15-d802-4d51-9a70-17803dc2693a", "https://us-test-sandbox.recordedfuture.com/240617-g49essyaqa", "https://static.hotjar.com/c/hotjar-2836981.js?sv=5", "https://report.netcraft.com/submission/ATkcJjvq2iKUQhELceQs7q4WVU76Q8QG - Submitted IPv4s to Netcraft 08.29.25", "https://www.googletagmanager.com/gtag/js?id=AW-CONVERSION_ID", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b - https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b = Hidden Apps - Enterprise Apps List", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906322f5af13cdfb50be", "https://hybrid-analysis.com/sample/2acab1228e8935d5dfdd1756b8a19698b6c8b786c90f87993ce9799a67a96e4e", "https://js.hsadspixel.net/fb.js" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [ "Unknown" ], "malware_families": [ "Srpanj", "Outubro", "Anda", "Hj", "Vui", "Trackingclient", "Reduceright", "Rabu", "Vasaris", "Qe", "Unknown", "Tente" ], "industries": [ "Government", "Individuals", "Healthcare", "Telecommunications", "Education", "Technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 8, "pulses": [ { "id": "68adee67c08cd025b05c2ab0", "name": "Collection of Collections - Updated - Malicious Certificates & University of Alberta DataBreach - 09.15.25.25", "description": "This Pulse is an attempt to aggregate all known certificates from all sources.\n\nEncrypted Communication: The malware uses Bitcoin and Ethereum addresses for communication, allowing it to receive commands and exfiltrate data securely.\nEvasion Techniques: The malware generates long and unusual domain parts using Domain Generation Algorithms to evade detection and establish communication with its C2 server.\nData Exfiltration: The malware can exfiltrate data to cloud storage services, enabling the threat actor to steal sensitive information from the compromised system.\nRemote Access: The malware leverages bidirectional communication and system binary proxy execution techniques to enable remote access and control over the infected system.\nIngress Tool Transfer: The malware downloads executable files from URLs, indicating its ability to download additional malicious payloads or updates to enhance its capabilities.", "modified": "2025-10-16T05:02:02.452000", "created": "2025-08-26T17:27:01.650000", "tags": [ "http", "https", "kgs0", "kls0", "Malcerts", "Certificates", "Alberta", "GovAB", "UAlberta", "Speader" ], "references": [ "https://www.virustotal.com/graph/embed/g0cfdc207f7d14c9a9173c2f9b804dd92b17706ef2a8c41dba3e0af36353cd70b?theme=dark", "https://viz.greynoise.io/ip/analysis/408b56e2-1932-4975-b348-5a8a7c5991d4", "https://report.netcraft.com/submission/ATkcJjvq2iKUQhELceQs7q4WVU76Q8QG - Submitted IPv4s to Netcraft 08.29.25", "https://www.filescan.io/uploads/68b261771c81c34281d8af6d/reports/44924eb0-000d-42ad-944e-36bf849a406d/overview", "https://www.virustotal.com/gui/file/19ec86ce10a716e8e63804239052c96cfa0a7fb66c2820bda2e66358f622525c/community", "Added some URLs from FSio Report to URLScan" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada", "Netherlands", "Aruba", "Panama", "Poland", "Ukraine", "United Kingdom of Great Britain and Northern Ireland", "Anguilla", "United Arab Emirates", "Ireland", "Tanzania, United Republic of", "Philippines", "Japan", "Guatemala", "Mexico", "Bahamas", "Barbados", "Georgia", "Slovakia", "Sint Maarten (Dutch part)", "Kenya" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Government", "Technology", "Telecommunications", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 2, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 1639, "FileHash-MD5": 1481, "FileHash-SHA1": 1421, "FileHash-SHA256": 5969, "domain": 707, "hostname": 2311, "email": 5, "CIDR": 13 }, "indicator_count": 13546, "is_author": false, "is_subscribing": null, "subscriber_count": 133, "modified_text": "228 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67d9aa3446a826d09e3fcbd1", "name": "SSL [.] com - (Unenriched)", "description": "Analysis of phishing domain/service - ssl dot com\n\nUpdated 04.09.25: was able to pull IOCs from graph (vT): https://www.virustotal.com/graph/embed/ga5becca9d0964040a5408d2de66d37952e5d92e7a3694941a8d11cc8bbf1fc94?theme=dark", "modified": "2025-05-08T21:00:41.641000", "created": "2025-03-18T17:15:32.007000", "tags": [ "malware", "virus", "trojan", "ransomware", "static", "analysis", "indicator of compromise", "ioc", "extraction", "emulation", "online", "submit", "sample", "download", "platform", "sandbox", "vxstream", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please", "javascript", "ansi", "pcap processing", "pcap", "prefetch8 ansi", "united", "date", "threat level", "show process", "hash seen", "programfiles", "win64", "comspec", "suspicious", "model", "hybrid", "close", "click", "hosts", "service", "general", "path", "encrypt", "strings", "contact", "SSL" ], "references": [ "https://www.filescan.io/uploads/67d9a1b50a7899f3579c2e15/reports/e94f370c-9b21-4fc7-be6d-a23f17a236a0/ioc", "https://hybrid-analysis.com/sample/225749540c7c585ae4567062cfb85980f0966cc3386540b5259471b8e2e5315e", "https://www.virustotal.com/gui/domain/ssl.com/details", "https://hybrid-analysis.com/sample/225749540c7c585ae4567062cfb85980f0966cc3386540b5259471b8e2e5315e/67d9a21c369b542db10921d1", "https://www.virustotal.com/graph/embed/ga5becca9d0964040a5408d2de66d37952e5d92e7a3694941a8d11cc8bbf1fc94?theme=dark", "https://www.virustotal.com/gui/collection/9ba080a708abedd7a118bdc24ce5cf5d842d87a86b89b9cc2191afe0f0d4231c", "https://www.virustotal.com/gui/collection/9ba080a708abedd7a118bdc24ce5cf5d842d87a86b89b9cc2191afe0f0d4231c/iocs", "https://www.virustotal.com/gui/collection/9ba080a708abedd7a118bdc24ce5cf5d842d87a86b89b9cc2191afe0f0d4231c/summary", "https://metadefender.com/results/url/aHR0cDovL3NzbC5jb20=", "https://pastebin.com/yYxyUWra - 03.18.25 = Paste to CERT Related Pulses/References", "https://www.virustotal.com/graph/embed/ga5becca9d0964040a5408d2de66d37952e5d92e7a3694941a8d11cc8bbf1fc94?theme=dark - 04.09.25" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1129", "name": "Shared Modules", "display_name": "T1129 - Shared Modules" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1480", "name": "Execution Guardrails", "display_name": "T1480 - Execution Guardrails" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" }, { "id": "T1553", "name": "Subvert Trust Controls", "display_name": "T1553 - Subvert Trust Controls" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [ "Technology", "Education", "Government", "Telecommunications", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 218, "FileHash-MD5": 80, "FileHash-SHA1": 80, "FileHash-SHA256": 462, "domain": 31, "hostname": 225, "SSLCertFingerprint": 15, "email": 10 }, "indicator_count": 1121, "is_author": false, "is_subscribing": null, "subscriber_count": 129, "modified_text": "388 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6647908c09468f42bc1249f1", "name": "University of Alberta Azure/Entra Compromised Tenant Compromized Institution", "description": "Update: Academic/Non-Academic Staff Unions, 3rd party org, & some profs/students/alumni tried raising concerns to Admins/President/IST & CISO => Maintaining position they will not be looking into reported problems re: Cybersecurity under any circumstances = more time more problems? Attempts to advocate -> Harrass./Discrim./De-humanizing responses from admins (representing all folks - recorded). \nTenant ID: 718b8a9b-44d8-441a-a344-4294ea842172 = This pulse is 1 example (small) of problems.\n\nPrimary domain\nualbertaca.onmicrosoft.com\nCustom Domain Names\nualberta.ca\nVerified\nualbertaca.onmicrosoft.com", "modified": "2025-03-01T04:59:57.222000", "created": "2024-05-17T17:14:52.317000", "tags": [ "false", "true", "visible", "application", "microsoft teams", "microsoft azure", "office", "service", "dynamics", "hidden", "android", "explorer", "write", "connector", "test", "sharepoint", "live", "meister", "tools", "desktop", "spark", "front", "enterprise", "designer", "atlas", "premium", "assistant", "allow", "azureadmyorg", "game", "verify", "microsoft power", "channelsurfcli", "mtd1", "file transfer", "magnus", "microsoft crm", "youth" ], "references": [ "All - EnterpriseAppsList.csv", "AppRegistrationList.csv", "https://tria.ge/240517-vc7c1shc62/behavioral1", "https://tria.ge/240517-vdwb5shc71/behavioral1", "https://tria.ge/240517-vqxezaaa33/behavioral1", "https://tria.ge/240517-t9pc2ahb2t", "https://www.virustotal.com/graph/embed/g9453a2f58a3340f18120987c2b4d710dbb44ded88c434abf8894458a98c7bd4b?theme=dark", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/iocs", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/graph", "https://www.virustotal.com/gui/collection/b84a19d60ec7cd6d546a3f145dff8987128d0f499161118b46de22718d4713cd/summary", "https://www.filescan.io/uploads/66479b483313f70f0afe3dbb", "https://www.filescan.io/uploads/664799c9d5c40bffee6106d7", "Thor Scan: S-I9VvMTB6cZU", "https://www.filescan.io/uploads/664ba368d5c40bffee63b1ee/reports/31817751-6b5d-45df-8813-472aa6c756a3/overview", "https://www.filescan.io/uploads/664ba8a20663ff3c2ec6428a/reports/09d3d82a-7ec1-4804-93e5-5ae691fbb7f2/overview", "https://imp0rtp3.wordpress.com/2021/08/12/tetris/", "https://www.filescan.io/uploads/664bb0cd7c9fb1468fc610c5/reports/00c78e4d-2156-4906-a106-ebf7e2723251/overview", "https://www.filescan.io/uploads/664bb40fbc04dffa92240ca2/reports/398074f2-c7b6-40e9-9b5c-4225cc990473/overview", "https://www.filescan.io/uploads/664bb683bc04dffa92241015/reports/92b70fd6-97d7-4386-8465-f3fd79043843/overview", "https://tria.ge/240521-q4s79agb25/static1", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906322f5af13cdfb50be", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/664f906222f5af13cdfb5093", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767/reports/dda2c8a1-96fd-4c00-9cbc-c64c4685a804/overview", "https://www.filescan.io/uploads/666d69ff6b8dba248b414767", "https://viz.greynoise.io/analysis/33e9b33b-b932-4c43-9be1-3e2d6f9cb4b3", "https://viz.greynoise.io/analysis/e51d9a15-d802-4d51-9a70-17803dc2693a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b", "Above Malcore Strings: All - EnterpriseAppsList, AppRegistration, EnterpriseAppslist, exportGroup, exportUsers, HiddenApps - EnterpriseAppsList****", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00975ea31558d54fceea", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cff1a5ea31558d54fcbf6", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d0107b44401771de9ebf2", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d00356dd8f43b723a915a", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667cffec5ea31558d54fcda2", "https://www.hudsonrock.com/search?domain=ualberta.ca", "https://www.criminalip.io/domain/report?scan_id=13798622", "https://viz.greynoise.io/analysis/9635144c-db8f-47ab-a83a-5785602244cf - 07.03.24", "https://urlscan.io/search/#ualberta.ca", "https://www.virustotal.com/gui/collection/0ca12fcdd125ec5a5055180ee828b98d47b8b2e920660be559c2b602266b6b1d/iocs", "https://sitereport.netcraft.com/?url=http://ualberta.ca", "https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-42889-text4shell-exploit-attempts/", "https://tenantresolution.pingcastle.com/Search - Tenant still active (07.19.24) - Good jobs ya'll", "https://www.virustotal.com/graph/embed/gf1d5aa209c7f4fd086e4cb17dcd0af52421ea4bae87d49fe9b4076b382612f0e?theme=dark", "https://viz.greynoise.io/query/AS36351%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS60068%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS8075%20classification:%22malicious%22", "https://viz.greynoise.io/query/AS15169%20classification:%22malicious%22", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b - https://app.malcore.io/share/652553f6aec33d70a1dbbd25/667d01d2b67682d81c00f37b = Hidden Apps - Enterprise Apps List" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Healthcare", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 25, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 7, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1703, "FileHash-SHA256": 90472, "URL": 99185, "domain": 82954, "hostname": 39041, "FileHash-SHA1": 1624, "email": 4658, "CVE": 12 }, "indicator_count": 319649, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "457 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "678dd7c763b29de06765fb52", "name": "hxxps://www[.]unitedconservative[.]ca/ - 01.19.25", "description": "Alberta UCP Compromise (i.e. potential evidence of active foreign interference).\n\nhttps://www.virustotal.com/graph/embed/g3fdc926b2208411e8b138e8bd7069b721b2586a3a1b3445aa4f70a932701ccbe?theme=dark", "modified": "2025-02-19T05:02:21.540000", "created": "2025-01-20T04:57:43.300000", "tags": [ "pentester", "javascript", "completed", "risk", "load", "web application", "firewall", "google search", "ssl certificate", "http", "create account", "critical", "malware", "virus", "trojan", "ransomware", "static", "analysis", "indicator of compromise", "ioc", "extraction", "emulation", "online", "submit", "sample", "download", "platform", "eci3", "eci4", "p1737345680749", "gaz1", "uaax86", "uab64", "sid1737345681", "sct1", "seg0", "nsi1", "url", "sandbox", "scanner", "reputation", "phishing", "hash", "miss", "eval", "first seen", "fastly", "gmt file", "linux x8664", "accept", "fingerprint", "loading", "path", "patch", "write", "vxstream", "apt", "hybrid analysis", "api key", "vetting process", "please note", "please" ], "references": [ "https://app.pentester.com/scans/U2NhblR5cGU6NDcwNDM5Mw==", "https://www.filescan.io/uploads/678dca8c2d219e36112b2dd4/reports/1d6e1a12-c26b-4506-aeb4-a8f539b75bee/overview", "https://urlquery.net/report/0b60a80e-d3a5-4ca3-8644-190f32f28c65", "http://www.hybrid-analysis.com/sample/c047a23d603e9babce4db32175ecad13f5209027f24772908879d40bb392cefe", "https://www.virustotal.com/gui/url/6314e10278e55b5f02aa1f8e588ad7e20bf90534cd813c7eff24d261e8dc4250" ], "public": 1, "adversary": "", "targeted_countries": [ "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Government" ], "TLP": "white", "cloned_from": null, "export_count": 19, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 734, "domain": 486, "email": 8, "hostname": 346, "FileHash-SHA256": 1814, "FileHash-MD5": 363, "FileHash-SHA1": 361, "SSLCertFingerprint": 24 }, "indicator_count": 4136, "is_author": false, "is_subscribing": null, "subscriber_count": 130, "modified_text": "467 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65d8ccb5b39c5a895bd0d7c2", "name": "More Certificates - A closer inspection of Accumulated Certs", "description": "An accumulation of Certificates from random places I find them - all from devices that have come into contact w. University of Alberta\nInteresting: https://www.trendmicro.com/en_us/research/21/i/analyzing-ssl-tls-certificates-used-by-malware.html", "modified": "2024-06-25T22:01:15.361000", "created": "2024-02-23T16:49:57.448000", "tags": [ "Certificates" ], "references": [ "https://www.virustotal.com/gui/collection/33a61b144ffdece76551464e76866ab59346f0fa3f1f97380b401c1ac3f0d305/summary", "https://www.virustotal.com/graph/embed/g157209fb9f6643a8bc819522fd9e644c70ae0f541aa347b4aa19b1636ee6d556?theme=dark", "https://app.malcore.io/share/652553f6aec33d70a1dbbd25/65d8c22c9a6367d4742ddd59", "https://www.virustotal.com/gui/collection/d6ec969e2e2b76f2bdb3b75595c50b9bfea53d730e2be98936896a3d110c3531", "https://www.virustotal.com/gui/collection/d6ec969e2e2b76f2bdb3b75595c50b9bfea53d730e2be98936896a3d110c3531/iocs", "https://www.proofpoint.com/us/blog/cloud-security/community-alert-ongoing-malicious-campaign-impacting-azure-cloud-environments", "https://www.virustotal.com/gui/collection/bd65940df2423788fcc8623495dfdafdfd4236d93533db0256db5ff4347b65f9/iocs", "https://www.virustotal.com/gui/collection/33a61b144ffdece76551464e76866ab59346f0fa3f1f97380b401c1ac3f0d305/iocs", "https://viz.greynoise.io/analysis/6d4e20f2-7e0c-4d31-83a6-f973343f4dd1", "https://viz.greynoise.io/analysis/5f89eddc-2668-47a2-8f6b-d4d81a31180c", "https://us-test-sandbox.recordedfuture.com/240617-g49essyaqa", "https://us-test-sandbox.recordedfuture.com/240617-h4dhsszdkg", "https://us-test-sandbox.recordedfuture.com/240617-h53t3stfmj", "https://us-test-sandbox.recordedfuture.com/240617-jak68azfqa", "https://us-test-sandbox.recordedfuture.com/240617-h73bbszepa", "https://tria.ge/240617-g49essyaqa/behavioral1", "https://www.virustotal.com/graph/embed/g5d8ecedaf40940ec8c84636da79426ec6a5f316d51874b499b47a02a8cef4a21?theme=dark" ], "public": 1, "adversary": "Unknown", "targeted_countries": [ "Canada", "United States of America", "Germany", "Netherlands", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Government", "Healthcare" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1431, "CIDR": 1, "FileHash-MD5": 777, "FileHash-SHA1": 750, "URL": 1647, "domain": 572, "hostname": 526 }, "indicator_count": 5704, "is_author": false, "is_subscribing": null, "subscriber_count": 136, "modified_text": "705 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "661eb1a25bebe7ba625d3911", "name": "Catch of the Day - GreyNoise & URLscan - 04.15.24", "description": "Submitted to URLscan.io (04.15.24)\nand Greynoise.io (04.15.24)", "modified": "2024-05-16T17:03:57.859000", "created": "2024-04-16T17:13:06.584000", "tags": [], "references": [ "https://www.virustotal.com/gui/collection/4f7b46232272af163094a112706688ee89392e3643071042468b87b3f6cd49d6/graph", "https://www.virustotal.com/gui/collection/4f7b46232272af163094a112706688ee89392e3643071042468b87b3f6cd49d6/iocs", "https://viz.greynoise.io/analysis/9d0c02d0-24a8-4624-bbd7-cc7335f0a438" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Canada" ], "malware_families": [], "attack_ids": [], "industries": [ "Education", "Technology", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "Disable_Duck", "id": "244325", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_244325/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "URL": 10, "domain": 17, "hostname": 86 }, "indicator_count": 114, "is_author": false, "is_subscribing": null, "subscriber_count": 132, "modified_text": "745 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65336ac2b48ca82aeb55aeed", "name": "Woodynet.net,Id3.net and me.", "description": "The saga continues - But without invoking the jinx I'll focus on the data: Woodynet.net and Id3.net have been my (notso)friendly unoptoutable-dns-resolvers i'm assuming since all of this kicked off now nearing over 1.5+ years ago. I was finally able to dump my iPhone12 in which I had had since this all started and with that really gain some leg and breathing room. But, I'm still being pumped malicious software in the form of ISO's, linux packages, Windows Updates, and so on. And these are the nexus right here. I was able to net a solid bounty from Hybrid-Analysis including 15+ trojans, about 10 different backdoors, and a slew of other collateral that honestly surprised me as Criminalip and OTX weren't wanting to speak the same language in terms of IOC translations from them to the pulse. I'm trying in vain to find the beacon(s) or whatever they're using to keep persistence.", "modified": "2024-02-14T21:43:43.324000", "created": "2023-10-21T06:08:02.798000", "tags": [ "ip lookup", "port check", "vulnerability scanner", "attack surface", "cyber threat intelligence", "cti", "asm", "domain", "exploit", "phishing", "ip address", "united", "criminal", "historical", "information", "ai spera", "search engine", "ip search", "english english", "franais", "contact", "china", "ip location", "ip owner", "internet", "ip locator", "remember", "dp ip", "ip checker", "lookup", "strong", "summary", "ip information", "pricing login", "score", "sandbox", "malware", "analysis", "online", "submit", "vxstream", "sample", "download", "trojan", "apt", "ansi", "data", "decrypted ssl", "windows nt", "threat level", "runtime data", "okserver", "date", "ffffff", "plugin", "path", "stop", "mask", "accept", "click", "prop", "error", "template", "class", "core", "span", "body", "suspicious", "back", "cluster", "null", "form", "zbot", "bounce", "this", "linear", "window", "ticker", "tick", "import", "orbit", "config", "main", "android", "cookie", "trident", "vidc", "hybrid", "close", "hosts", "general", "local", "mozilla", "strings", "podcast", "team", "june", "criminal ip", "engine", "resource", "dropped file", "pattern match", "script", "noscript", "connectivity", "bare metal", "iframe", "enterprise", "discord", "twitter", "facebook", "meta", "media", "story", "tools", "tokyo", "rocket", "fullscreen", "next", "small", "bare", "font", "helvetica", "arial", "tbody", "dnssec", "woodynet", "paris", "hong", "hybrid analysis", "api key", "vetting process", "please note", "please" ], "references": [ "https://www.criminalip.io/asset/report/69.166.14.38", "https://www.criminalip.io/asset/report/114.215.222.125", "https://dnschecker.org/ip-location.php?ip=31.204.146.148", "https://www.criminalip.io/domain/report?scan_id=8544746", "https://hybrid-analysis.com/sample/ab4672795b872e01bc7411fec294eab22d54e97b133769a3de306d9633fa24d6/5efec3f6b03bcb74f200310b", "https://www.criminalip.io/images/search/domain/category/icon_page_redirections.svg", "https://www.criminalip.io/domain/report?scan_id=8544687", "https://hybrid-analysis.com/sample/ab4672795b872e01bc7411fec294eab22d54e97b133769a3de306d9633fa24d6/653366aac5f632cbbf0f0000", "https://hybrid-analysis.com/sample/020fe56e2d49ead60b67a1e20b43ee0846c493c7edb3118b34c5c964fc131794/6533667318fa4c29320ec174", "https://hybrid-analysis.com/sample/2acab1228e8935d5dfdd1756b8a19698b6c8b786c90f87993ce9799a67a96e4e" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Unknown", "display_name": "Unknown", "target": null } ], "attack_ids": [ { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1035", "name": "Service Execution", "display_name": "T1035 - Service Execution" }, { "id": "T1043", "name": "Commonly Used Port", "display_name": "T1043 - Commonly Used Port" }, { "id": "T1179", "name": "Hooking", "display_name": "T1179 - Hooking" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" } ], "industries": [ "individuals" ], "TLP": "white", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Merkd1904", "id": "196517", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 268, "hostname": 50, "domain": 61, "FileHash-MD5": 112, "FileHash-SHA1": 110, "FileHash-SHA256": 110, "email": 9 }, "indicator_count": 720, "is_author": false, "is_subscribing": null, "subscriber_count": 74, "modified_text": "837 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "626078c9aeb1f4837a1bfc7e", "name": "Malware hosting - allwest.com", "description": "\u00c2\u00a31.5m, \u00e2\u201a\u00ac2.4m \u00c3\u20ac\u00a6, is the source of a new version of the JavaScript code, which is being developed by the Apache web browser.", "modified": "2022-05-20T00:01:19.453000", "created": "2022-04-20T21:19:05.670000", "tags": [ "guji", "regexp", "cfunction", "event", "afunction", "efunction", "function", "xfunction", "jnull", "yefunction", "customevent", "typeof n", "typeof wpcf7", "nonce", "script", "please do", "not copy", "and paste", "this code", "cgrecaptchacfg", "ngrecaptcha", "recaptchaapi", "render", "filter", "typenumber", "totalvalue", "linear", "secs", "index", "nameregion", "typevalue", "rangeto", "customuserspeed", "code", "typeof define", "date", "click", "smoothscroll", "number", "property", "fancybox", "null", "false", "scroll", "stop", "speed", "body", "error", "this", "typeerror", "symbol", "generator", "typeof e", "copyright", "closure library", "reduceright", "string", "aw981889198", "uint8array", "quota", "aafunction", "void", "hj", "object", "hotjar", "email", "typeof symbol", "telefon", "array", "survey", "meta", "cookie", "keypress", "trident", "live", "fullscreen", "generic", "window", "widget", "ciudad", "adore", "experiment", "mutation", "qe", "fnumber", "xhfunction", "yhfunction", "awconversionid", "g0cbkgbkb3j", "xdfunction", "adfunction", "cdfunction", "ddfunction", "typeof hj", "surveyv2", "surveyisolated", "heatmapviewer", "notification", "sentry", "ua411335272", "gfvhxsm5zyl", "xmlhttprequest", "domparser", "typeof module", "html tags", "ox20trnf", "dom element", "typeof t", "class", "attr", "pseudo", "child", "udc66udc67", "ud83d", "ufe0f", "ud83e", "udc68udc69", "udfcbudfcc", "u2640u2642", "source", "image", "ud83dudc6cud83c", "bsnull", "gtmmwm9r93", "typeof", "facebook pixel", "pixel code", "iterator", "constantvalue", "globalvariable", "facebook", "service", "phonenumber", "boolean", "select", "strong", "input", "iframe", "android", "verify", "span", "enterprise", "form", "reload", "adwords", "linkedin", "hs pixel", "loader", "addcookiedomain", "hubspot", "vui", "anda", "tente", "outubro", "trackingclient", "srpanj", "rabu", "vasaris", "helvetica neue", "helvetica", "arial", "accept", "n nn", "policy", "done", "800px", "40px", "i18n", "blockedemail", "typeof i18n", "captcha", "please", "april", "august", "close", "february", "june", "klik", "download", "next", "blank", "este", "rserver", "mais", "r300", "typeof d", "path", "caca", "pfunction", "contenttype", "zfunction", "bfunction", "mvoid", "ofunction", "array int8array", "caregexp", "legacy" ], "references": [ "xfe-URL-allwest.com-stix2-2.1-export.json", "https://www.googleadservices.com/pagead/conversion_async.js", "https://www.google-analytics.com/analytics.js", "https://www.googletagmanager.com/gtag/js?id=G-FVHXSM5ZYL&l=dataLayer&cx=c", "https://www.googletagmanager.com/gtag/js?id=G-0CBKGBKB3J&l=dataLayer&cx=c", "https://js.hsleadflows.net/leadflows.js", "https://js.hs-banner.com/9251231.js", "https://js.hs-analytics.net/analytics/1650488100000/9251231.js", "https://js.hsadspixel.net/fb.js", "https://www.gstatic.com/recaptcha/releases/QENb_qRrX0-mQMyENQjD6Fuj/recaptcha__en.js", "https://connect.facebook.net/signals/config/661596171311072?v=2.9.57&r=stable", "https://connect.facebook.net/signals/plugins/identity.js?v=2.9.57", "https://connect.facebook.net/en_US/fbevents.js", "https://www.googleoptimize.com/optimize.js?id=GTM-MWM9R93", "https://www.allwest.com/wp-includes/js/wp-emoji-release.min.js?ver=5.9.3", "https://www.allwest.com/wp-includes/js/jquery/jquery.min.js?ver=3.6.0", "https://www.allwest.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2", "https://www.allwest.com/wp-content/plugins/svg-support/js/min/svgs-inline-min.js?ver=1.0.0", "https://www.googletagmanager.com/gtag/js?id=UA-41133527-3", "https://static.hotjar.com/c/hotjar-2836981.js?sv=5", "https://www.googletagmanager.com/gtag/js?id=UA-41133527-2", "https://www.googletagmanager.com/gtag/js?id=AW-CONVERSION_ID", "https://script.hotjar.com/modules.0076bf93c385ddf0ff58.js", "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/981889198/?random=1650488340057&cv=9&fst=1650488340057&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=844&u_w=390&u_ah=844&u_aw=390&u_cd=32&u_his=1&u_tz=-240&u_java=false&u_nplug=0&u_nmime=0>m=2oa4i1&sendb=1&ig=1&data=event%3Dgtag.config&frm=0&url=https%3A%2F%2Fwww.allwest.com%2F&tiba=All%20West%20Communications%20-%20telecommunication%20company&hn=www.googleadservices.com&async=1&rfmt=3&fmt=4", "https://www.googletagmanager.com/gtag/js?id=AW-981889198", "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/981889198/?random=1650488340630&cv=9&fst=1650488340630&num=1&bg=ffffff&guid=ON&resp=GooglemKTybQhCsO&u_h=844&u_w=390&u_ah=844&u_aw=390&u_cd=32&u_his=1&u_tz=-240&u_java=false&u_nplug=0&u_nmime=0>m=2oa4i1&sendb=1&ig=1&data=event%3Dgtag.config&frm=0&url=https%3A%2F%2Fwww.allwest.com%2F&tiba=All%20West%20Communications%20-%20telecommunication%20company&hn=www.googleadservices.com&async=1&rfmt=3&fmt=4", "https://www.allwest.com/wp-includes/js/dist/vendor/regenerator-runtime.min.js?ver=0.13.9", "https://www.allwest.com/wp-content/uploads/hummingbird-assets/c4be4d65e707f6328e3a72e79cfdfcb7.js", "https://www.allwest.com/wp-content/themes/allwestcommunications/js/jquery.main.js?ver=5.9.3", "https://www.allwest.com/wp-content/themes/allwestcommunications/js/custom.js?ver=5.9.3", "https://www.google.com/recaptcha/api.js?render=6Ld8S6EUAAAAAExG_6DO_Jj4DLY35ybebbA8R_eA&ver=3.0", "https://www.allwest.com/wp-content/plugins/contact-form-7/modules/recaptcha/index.js?ver=5.5.6", "https://www.allwest.com/wp-content/plugins/wp-smushit/app/assets/js/smush-lazy-load.min.js?ver=3.9.5", "https://js.hs-scripts.com/9251231.js" ], "public": 1, "adversary": "", "targeted_countries": [ "Tunisia" ], "malware_families": [ { "id": "hj", "display_name": "hj", "target": null }, { "id": "Qe", "display_name": "Qe", "target": null }, { "id": "Vui", "display_name": "Vui", "target": null }, { "id": "Outubro", "display_name": "Outubro", "target": null }, { "id": "Tente", "display_name": "Tente", "target": null }, { "id": "Anda", "display_name": "Anda", "target": null }, { "id": "Vasaris", "display_name": "Vasaris", "target": null }, { "id": "Rabu", "display_name": "Rabu", "target": null }, { "id": "Srpanj", "display_name": "Srpanj", "target": null }, { "id": "TrackingClient", "display_name": "TrackingClient", "target": null }, { "id": "ReduceRight", "display_name": "ReduceRight", "target": null } ], "attack_ids": [ { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1056", "name": "Input Capture", "display_name": "T1056 - Input Capture" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "adjadex1@gmail.com", "id": "187163", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 821, "URL": 1568, "domain": 251, "FileHash-SHA256": 70, "FileHash-MD5": 4, "FileHash-SHA1": 1 }, "indicator_count": 2715, "is_author": false, "is_subscribing": null, "subscriber_count": 69, "modified_text": "1473 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "data.link", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "data.link", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780292286.3426852 }